LUMAX
Active Directory User Maintenance
Download Lumax Version 1.9.2
Lumax is a free tool for Active Directory environments which provides important properties of user or computer accounts in a simple, fast and easy view.
The characteristics of users, workstations and other objects are evaluated using the LDAP protocol from the relevant AD domain controllers. The following information is displayed with LUMAX:
Object Name |
Login Name | This is the NetBIOS name of the logon account, as it is used in credentials in the form of 'Domain\LoginName'. This property is stored in the directory in the LDAP attribute 'sAMAccountName'.
User Principal Name | This is the modern UPN logon name of the account in the format 'LoginName@domain.com'. This property is stored in the directory in the LDAP attribute 'userPrincipalName'.
Disabled | If an account is deactivated, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Locked | If an account is locked by the intruder detection, an 'x' is shown here, together with an indication of how long the lock-out will last. For this purpose, the LDAP attribute 'lockoutTime' is evaluated, taking into account the domain-wide settings and also any existing password policies with different settings that apply to the account.
Last Logon | This is the time of the last login in the domain. The LDAP attribute 'lastLogon' is evaluated here. This attribute is not replicated between domain controllers, therefore LUMAX requests the data from all domain controllers and then determines the respective true last logon time. It may be, however, that the time cannot be determined precisely, e.g. if a domain controller cannot be reached over the network by LUMAX. In this case, only '???' will be displayed for all accounts.
Created | This is the time of the creation of the object. For this purpose, the LDAP attribute 'whenCreated' is evaluated.
Changed | This is the time of the most recent change of the object.
Expiration | This is the account expiration date. Normally, an AD account does not expire, but administrators can set an expiration date for each account. To show the expiration date, the LDAP attribute 'accountExpires' is evaluated.
Pwd Policy | Here the name of the Fine-Grained Password Policy is listed, if any of these policies applies to the user. For this, LUMAX evaluates the policy objects in the system container of the directory, together with the group memberships of the user. Fine-Grained Password Policies are only supported on Windows Server 2008 and newer.
Pwd Last Set | This is the time of the most recent change of the account's password. For this purpose, the LDAP attribute 'pwdLastSet' is evaluated.
Pwd Expiration Date | This is the date when the account's password will expire. For this purpose, the LDAP attribute 'pwdLastSet' is evaluated, taking into account the domain-wide settings and also any existing password policies with different settings that apply to the account.
Pwd Expired | When the password of an account has already expired, an 'x' will be shown here.
Pwd Can't Expire | If the flag 'Password never expires' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Pwd Not Needed | If the flag 'Password not needed' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Pwd Can't Change | If the flag 'Password cannot be changed' is set for an account, an 'x' will be shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
AdminSD | If an account is subject to the AdminSDHolder security, an 'x' will be shown here. For this purpose, the LDAP attribute 'adminCount' is evaluated. It indicates that the account in question is (or was) a member of a highly privileged group (Administrators, Domain Admins, Account Operators, Backup Operators...).
Can't Delete | If the deletion of an object is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Can't Rename | If the renaming of an object is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Can't Move | If the move of an object to another directory container is basically prevented by the system, an 'x' is shown here. For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
Mail Enabled | If a user account has an Exchange mailbox, an 'x' is shown here. For this purpose, the LDAP attribute 'MailNickname' is evaluated.
Mail DB | This is the Exchange server mail database where the user's mailbox resides (if the user is mail enabled). For this purpose, the LDAP attribute 'userAccountControl' is evaluated.
If a property of an object cannot be read correctly from the LDAP directory for some reason, only '???' is displayed.
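The attribute evaluation described in the table can be reproduced for an account hygiene review. The following Python sketch is an added example, not LUMAX code: it decodes 'userAccountControl', 'lockoutTime', 'accountExpires' and 'pwdLastSet', and merges 'lastLogon' values from several domain controllers. The function names, the dictionary layout and the sample values are assumptions, and the effective policy (maximum password age, lockout duration) is passed in rather than read from the directory.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # origin of AD timestamps
NEVER = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values meaning "no expiry"
UAC_DISABLED = 0x0002              # ACCOUNTDISABLE
UAC_PWD_NOT_NEEDED = 0x0020        # PASSWD_NOTREQD
UAC_PWD_CANT_EXPIRE = 0x10000      # DONT_EXPIRE_PASSWORD

def filetime(ticks):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def true_last_logon(per_dc):
    """lastLogon is not replicated, so the newest value over all DCs wins.
    None marks a DC that could not be queried: the answer is then unknown."""
    if not per_dc or any(v is None for v in per_dc.values()):
        return "???"
    newest = max(per_dc.values())
    return filetime(newest) if newest else None   # 0 on every DC = never

def account_view(entry, per_dc, now, max_pwd_age, lockout_duration):
    """max_pwd_age / lockout_duration: effective policy as timedelta; None
    means passwords never expire / lockout lasts until an admin unlocks."""
    uac = entry["userAccountControl"]
    never = bool(uac & UAC_PWD_CANT_EXPIRE)
    pwd_set, lock = entry["pwdLastSet"], entry.get("lockoutTime", 0)
    pwd_expires = None
    if not never and pwd_set and max_pwd_age is not None:
        pwd_expires = filetime(pwd_set) + max_pwd_age
    # lockoutTime can stay set after the lockout has run out, so compare to now
    locked = bool(lock) and (lockout_duration is None
                             or filetime(lock) + lockout_duration > now)
    return {
        "disabled": bool(uac & UAC_DISABLED),
        "pwd_not_needed": bool(uac & UAC_PWD_NOT_NEEDED),
        "pwd_cant_expire": never,
        "locked": locked,
        "last_logon": true_last_logon(per_dc),
        "expiration": None if entry["accountExpires"] in NEVER
                      else filetime(entry["accountExpires"]),
        "pwd_expiration": pwd_expires,
        # pwdLastSet == 0 means "must change password at next logon"
        "pwd_expired": not never and (
            not pwd_set or (pwd_expires is not None and pwd_expires <= now)),
    }

if __name__ == "__main__":
    # Constructed sample: 132223104000000000 is 2020-01-01 00:00 UTC
    user = {"userAccountControl": 0x0222, "pwdLastSet": 132223104000000000,
            "lockoutTime": 0, "accountExpires": 0x7FFFFFFFFFFFFFFF}
    dcs = {"dc1": 132223104000000000, "dc2": 132223968000000000}
    now = datetime(2020, 3, 1, tzinfo=timezone.utc)
    print(account_view(user, dcs, now, timedelta(days=42), timedelta(minutes=30)))
```

Accounts that come back with "pwd_not_needed" or "pwd_cant_expire" set, or with a last logon far in the past, are the ones worth reviewing first.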
You can use the 'Reload' button or the <F5> key at any time to refresh the display of the account information. If you press the <CTRL> key at the same time, the entire directory hierarchy structure on the left will be updated.
If you launch LUMAX as a user that has already logged onto the domain, then the program will automatically connect to your own domain using LDAP. You can also perform an explicit logon to any Active Directory domain. The only requirement: you have to be able to establish a network connection to a domain controller via LDAP (TCP port 389) or LDAP/SSL (TCP port 636) and you need valid credentials.
You initiate a new connection to an Active Directory domain with the button 'Connect to other server' - or with the <CTRL-O> key. In the following dialog you have the same options as in creating connections in the tool 'LEX - The LDAP Explorer'. LUMAX can also re-use existing LEX connection profiles.
In the left pane of the LUMAX window the container hierarchy of the currently connected Active Directory namespace is shown. You can use the 'Show Object in all subcontainers' button to configure whether only the objects directly below the currently selected container are shown or any object (also from sub-containers):
In the right pane of the window you can see the objects and their properties in columns. You can hide or unhide columns at any time by clicking the right mouse button on the column header of the right window:
You can highlight objects in the list with colors by using the button "Highlight Accounts", e.g. all users whose last login is older than 4 weeks.
A pull-down menu is shown where you can configure how and with what criteria the highlighting is performed:
LUMAX has a two-stage filter for the display of objects. With the button 'Filter object classes', you can determine whether LUMAX displays only user accounts, only workstations, both together - or all objects. The current configuration is indicated on the button itself:
The button 'Filter Objects' lets you configure that only certain objects are shown by LUMAX, e.g. only user accounts whose password expires in the next two days.
A pull-down menu is shown where you can configure how and with what criteria the highlighting is performed:
You can export the currently displayed list of directory objects and their properties to a text file or a Microsoft Excel sheet. Use the button 'Export data to file' or just the shortcut key <CTRL-S>. A dialog will appear where you can make additional settings for the export.
If you have an installed version of LEX - The LDAP Explorer on the same machine (minimum LEX v 1.5.000), you can use the LIZA application to open directory objects directly in LEX. This feature enables you, for example, to change permissions in LEX; LIZA is after all 'just' a read-only tool which can display permissions but not change them.
If you want to handle an object with LEX, just use the option Open in LEX from the context menu in the treeview panel or in the object list (you can also highlight several objects here and open all of them in LEX):
Some important technical details about LUMAX: